Final Hazard Profile – Cyber Threat

“Cyber threats are no longer limited to identity theft, bank hacks or the embarrassing leak of private e-mails. It’s become an all-encompassing threat that has the ability to shut down our hospitals, breach our dams and prevent the delivery of important goods to our ports. It is a matter of public safety that extends far past the borders of IT and now requires a community effort to stay ahead of those wanting to do harm.” (Governor Jay Inslee in his August 19th, 2015 Letter to the Deputy Secretary of the U.S. Department of Homeland Security).

Introduction

What would happen if you couldn't connect to the internet or conduct business electronically? What if all your data was lost or inaccessible? What consequences can you expect? Do you know what steps are needed to recover? These questions, among others, should prompt preemptive planning to better prepare for the cyber threat facing Washington's technological infrastructure.

Washington State is home to companies that are leading global innovation and commerce and generating billions of dollars in business. The citizens of the state depend on public and private networks for access to business, information, and essential services.

In the Significant Cyber Incident Annex to the Washington State Comprehensive Emergency Management Plan (CEMP), a significant cyber incident is defined as “an event that is likely to cause, or is causing, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity, or availability of electronic information, information systems, services, or networks; and/or threaten public safety, undermine public confidence, have a negative effect on the economy, or diminish the security posture.” A significant cyber incident impacting key assets could have adverse effects which may cause harm, destruction, or loss of local and national significance (2011 National Preparedness Goal).

Mitigating the cyber threat requires planning, training, collaboration and information sharing among trusted organizations. This hazard profile is intended to provide and summarize threat information to assist planners in preparing for cyber emergencies, protecting assets, identifying vulnerabilities, anticipating damages, and protecting stakeholders. It is recommended that executive leaders and policy makers prioritize cyber emergency preparedness efforts both internally, as part of business continuity and disaster recovery efforts, and externally, working closely with community partners and emergency managers at all levels of government.

Washington State Threat Mitigation Plan October 2015 Tab 5.18 – Cyber Threat Profile – Page 1

Cyber Risk Level

Frequency - Washington State ranked 10th in reported incidents of cyber crime in 2010 and 8th in 2013. Nearby states have reported suspicious cyber activity increasing over a 3-year span from 2 million to 20 million events per day. The frequency of nefarious cyber incidents will continue to increase, especially in the more populated areas, which represent the largest targets of opportunity for community disruption. A 2014 Cost of Data Breach: Global Analysis reported that companies estimated an average of 17 malicious codes and 12 sustained probes monthly.

People - Approximately 7.1 million Washington state residents depend on basic necessities and services (2014 U.S. Census Bureau estimate). Areas with higher concentrations of people and businesses are inherently more dependent on networked systems for their life-sustaining services, and are therefore considered at higher risk of an emergency resulting from a significant cyber incident.
A successful breach of critical public and private networks could severely diminish or destroy basic public utilities, fuel, health care systems, emergency medical services (EMS), communications, and governance to at least 50% of the population. (Calculated using counties along the I-5 corridor and counties with population over 100,000 divided by the 7.1M estimate.)

Property - The data stored on public and private networks is property in and of itself and is often the prime target of cyber criminals or lost during significant cyber outages. The most valuable data is consumer, financial, medical, intellectual property, and government information. A catastrophic incident/outage or a successful cyber-attack or breach can do untold damage. Cyber incidents can also cause physical damage to property, as in the December 2014 spear phishing attack on a German steel factory, which disrupted the shutdown procedures for one of the plant’s blast furnaces and resulted in massive damage to the plant. Another earlier example is the explosion of an oil pipeline in Turkey in 2008, which was believed to be the result of Russian hackers accessing the control systems of the pipeline and causing super pressurization. Clearly the cyber threat profile can result in both virtual and physical property damage.

Economy - The economic impact of cyber incidents depends on the size of the impacted company or community, the type of attack or incident, and the physical manifestation of the network outage or disruption. Compromise of consumer information and/or financial data can severely damage the reputation of a company and do immeasurable harm to revenue generation. The loss of essential business data (Amazon) in certain sectors could shut down businesses permanently.
The International Data Corporation (IDC) estimated the 2013 global loss to enterprise organizations from malware-infected counterfeit software at $112 billion, nearly $350 billion in data breaches, and 1.5 billion hours lost. In a June 2014 Intel Security/McAfee report, cybercrime and espionage cost an estimated $445 billion globally, which includes Microsoft Corporation. Microsoft's most current estimate is closer to $500 billion. There are no current economic estimates specifically for the state of Washington; however, Ponemon Research evaluated 257 small to enterprise level organizations around the globe to calculate the average recovery cost and expense caused by cyber breaches. Business disruption represented the highest external cost, followed by information loss. Costs ranged from $567,000 for small business to $60.5 million for enterprise (Ponemon Institute, 2014 Cost of Cyber Crime Study: United States).

Environment - A significant cyber incident impacting industrial control systems such as supervisory control and data acquisition systems (commonly placed together in the acronym ICS/SCADA) that control public utilities like waste water treatment facilities or sewage processing services could cause immediate environmental and health concerns in higher population areas. Additionally, an attack on the power grid would affect nearly all basic services, including the capability to heat homes, store food and/or run other critical basic life-sustaining functions. A fuel or chemical spill resulting from disruption to railway or traffic control systems could severely damage surrounding land and connected waterways irreparably for years and cost billions to clean up.

Note: Applying total cost of a cyber incident depends on aggregated factors such as the type of data compromised, systems repaired, any financial penalties, liabilities, and reparations as well as any services like credit or identity monitoring. Total cost can't be calculated until the process is complete. Confidentiality also skews cost in some cases.

The Hazard

For purposes of this Hazard Profile, the cyber threat is considered a human caused technological threat, though it is acknowledged that cyber emergencies could result from the physical destruction of infrastructure during an earthquake or other natural disaster.

Cyber emergencies can be caused accidentally by faults in software programming code, or deliberately by malicious hackers. The risk of coding errors occurring increases exponentially with the invention and introduction of new generations of programming languages that are purposely designed to use and reuse modules from previously written programs. Reused code may have hidden vulnerabilities. The sheer size and length of modern software programs makes it impossible to check every line of code for hazards, as was the case during the March 2014 Emergency 911 outage in the Pacific Northwest, which caused over 4500 calls to go unanswered.

With regard to malicious actors, hackers that illegally breach systems or compromise networks do so for any number of reasons, including the desire for financial gain, the challenge of breaking into a system, political activism, terrorism, or espionage. Hackers typically attack a network through the path of least resistance, which most often means profiling, targeting, and obtaining end-user credentials to bypass network perimeters. If the network or system can't be breached directly, hackers will look "downstream" for a vulnerable access point, which may be an unsecured system on an affiliated network or application.
Even if no data is taken or systems damaged, once a network has been compromised, security engineers should assume the worst until a proper assessment has been performed verifying that all systems are secure. A hacker may have simply mapped the network for future attack or shared that
